TP send AS2 message, got error: processed/error: authentication-failed

Hello webMethods Experts,

We have a problem in PROD with our new Trading Partner (TP), let's call it "A".

We are able to send EDIINT messages to TP "A" successfully. But when TP "A" tries to send to us, it gets the error "processed/error: authentication-failed".

The other TPs are going fine. When we tested this TP in DEV, it went well.

We have loaded the TP certificate in MWS for

  • Sign/Verify
  • Encrypt/Decrypt
  • SSL

We have also loaded the TP certificate in the IS Server Truststore list.
We are using webMethods 10.3.

Our certificate settings are:

  • Content-Type: application/EDIFACT
  • Digest Algorithm: SHA-1
  • Encryption Algorithm: TripleDES
  • Request MDN: synchronousMDN
  • Request Signed Receipt: true
  • SMIME type: SignedAndEncrypted
  • watt.net.jsse.server.enabledProtocols=SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2

The guy from TP "A" who supports the system said that he loaded the certificates correctly on his side.
He shared these settings as below:

  • Encryption Algorithm: 3DES
  • Signature Algorithm: SHA1
  • SSLEnabledProtocols: TLSv1.0, TLSv1.1 & TLSv1.2
  • Send Message Security: Sign and Encrypt
  • Send Message Security: Sign & Encrypt
  • MDN : Signed & Synchronous

I found there is nothing wrong with their settings, but somehow the transactions from them still get an error.
I assumed there is no problem with our certificate, since it is working well with the other TPs.

And because the error is too simple to troubleshoot,
I have enabled IS logging for the following facilities:

  • 0006 (Server SSL Interface)
  • 0007 (Authorization)
  • 0009 (Certificate)
  • 0012 (Authentication)

But nothing is captured related to the above error.

Any idea which logging I need to enable to help me troubleshoot?
Or any idea on how to solve this issue?

Appreciate any help.

Thank you,
Fanny T

Please take a look at this EDIINT from MWS. If there is no payload on the Content tab like below, that means company A uses the wrong certificate to encrypt the payload and you cannot decrypt it.

Hello Rocky,

Thanks for the suggestion. In MWS, the EDIINT only contains "ediintdata". There are no inputs or payloads.
We are not able to decrypt the EDI contents.

This is inside "ediintdata"; the rest of the message is scrambled text:

Accept-Encoding: gzip, deflate
Content-Length: 4749
AS2-To: B_PROD
AS2-From: A_PROD
AS2-Version: 1.2
EDIINT-Features: CEM, multiple-attachments, AS2-Reliability
Date: Fri, 06 Nov 2020 03:56:04 GMT
Message-Id: <B_PROD-20201104-213724848-AbuF@A_PROD_B_PROD>
Disposition-Notification-To: request-mdn@none.org
Disposition-Notification-Options: signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha1
X-Powered-By: XXXXXX
Mime-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"

I totally agree with you that maybe TP "A" uses the wrong certificate, but the question is how to prove to them that they are using the wrong certificate?
They insisted that they installed the certificate correctly. :frowning:

That's why I am trying to increase the logging level. But I am still not able to capture a meaningful error to troubleshoot.
I will try to increase all of them under EDI_Module; hopefully it will work.

I am open to any other suggestion.

Thank you,
Fanny T

There are 3 steps like below:

  1. Double-check that the CA certificates of this public certificate are in the truststore.
  2. You may ask TP "A" to double-check the serial number of this public certificate.
  3. You may also verify that your private key matches this public certificate with OpenSSL.
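Fanny asks above how to prove to TP "A" that they encrypted to the wrong certificate, and step 2 here is to compare serial numbers. The script below is an added example, not code from this thread or from webMethods, that does both checks with the openssl CLI: it reads the RecipientInfo serial out of an enveloped-data smime.p7m (that is the certificate the sender actually encrypted to) and then tries the decrypt with a given key pair, which is what Integration Server fails at when the wrong certificate was used. The key pairs, serial numbers, file names (ours.*, stale.*, good.p7m, stale.p7m) and the EDIFACT fragment are all constructed here; it assumes OpenSSL 1.1.1 or later, whose `-print` output shows large serial numbers as 0x-prefixed hex.

```shell
#!/bin/sh
# Added example (not from the thread or from webMethods): show which
# certificate an enveloped-data smime.p7m was encrypted to, and prove with a
# decrypt attempt whether our private key can open it. Everything below is
# constructed; assumes OpenSSL 1.1.1+ (large integers printed as 0x hex).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# "ours" is the key pair behind the certificate we sent TP "A"; "stale" stands
# for an older certificate of ours they may still have loaded. Fixed 160-bit
# serials so the two can be told apart by serial number alone.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=B_PROD" \
    -set_serial 0x1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D \
    -keyout ours.key -out ours.crt >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=B_PROD" \
    -set_serial 0x5E6F708192A3B4C5D6E7F8091A2B3C4D1A2B3C4D \
    -keyout stale.key -out stale.crt >/dev/null 2>&1
# Constructed EDIFACT fragment standing in for the real interchange.
echo 'UNB+UNOA:1+A_PROD+B_PROD+201106:0356+1' > payload.edi

# Serial number of a certificate we hold, normalised to lower-case hex.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2 | tr 'A-F' 'a-f'
}

# Serial number(s) in the RecipientInfo of an enveloped-data message, i.e. the
# certificate(s) the sender encrypted to. `openssl cms -cmsout -print` dumps
# the CMS structure; only the serialNumber field under rid is kept.
recipient_serials() {
    openssl cms -cmsout -print -inform DER -in "$1" \
      | awk '/serialNumber:/ {print $2}' | sed 's/^0x//' | tr 'A-F' 'a-f'
}

# Exit 0 if the given certificate/key pair can open the message, non-zero
# otherwise (openssl reports "no matching recipient" / decrypt error).
decrypts_with() {
    openssl cms -decrypt -inform DER -in "$1" -recip "$2" -inkey "$3" \
        -out /dev/null 2>/dev/null
}

# What the partner should send: encrypted to our current certificate, with
# TripleDES as in the thread's settings.
openssl cms -encrypt -des3 -binary -in payload.edi -outform DER -out good.p7m ours.crt
# What a partner holding a stale certificate sends: same settings, wrong recipient.
openssl cms -encrypt -des3 -binary -in payload.edi -outform DER -out stale.p7m stale.crt

for msg in good.p7m stale.p7m; do
    echo "$msg: encrypted to serial $(recipient_serials "$msg"); our serial is $(cert_serial ours.crt)"
    if decrypts_with "$msg" ours.crt ours.key; then
        echo "$msg: decrypts with our private key"
    else
        echo "$msg: cannot be decrypted with our private key (sender used another certificate)"
    fi
done
```

Run it against the real smime.p7m by calling `recipient_serials` on the message saved from MWS and `cert_serial` on the certificate you gave the partner: if the two serials differ, the partner's own message shows which certificate they loaded, independent of any log level on your side.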

Hi Rocky,

Thanks for the answer.

We have verified items #1 and #2. I can confirm it is done and confirmed with TP "A".

However, could you advise on how to verify the private key with OpenSSL?

Thank you.

Best Regards,
Fanny T

  1. How to verify if a Private Key Matches a Certificate?

refer to: https://www.ibm.com/support/pages/how-verify-if-private-key-matches-certificate

  2. How to convert from .cer to .crt?

openssl x509 -in server.cer -out server2.crt -inform DER

Hi Rocky,

Thanks for the information provided. Really helpful.

Anyway, finally we managed to sort out the problem.
TP "A" was putting "Content-Type: text/plain" in the EDIINT setting, which was causing the issue.
Once they changed it to "Content-Type: application/EDIFACT", the transmission was successfully received.

Thank you.

Best Regards,
Fanny T


Hi,

Be careful with these file extensions, as they do not always indicate the real file format.
E.g. Windows proposes the .cer extension for both formats (plain text/CER and binary/DER).

You can check this by opening the file in doubt in a text editor.
Plain text looks somewhat human readable and has two lines “BEGIN CERTIFICATE” and “END CERTIFICATE” in it.
The binary format doesn't look readable to humans.

Regards,
Holger
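Rocky's step 3 and the link above cover checking that the private key matches the certificate, and Holger warns that a .cer file may be either text or binary. The script below is an added example, not code from this thread or from webMethods, that handles both with the openssl CLI: it classifies a certificate file by its content rather than its extension, converts DER to PEM when needed, and compares the public key inside the key file with the one inside the certificate (a SubjectPublicKeyInfo comparison, which also works for EC keys, rather than the RSA modulus comparison in the linked article). The key pairs and file names (a.key, a.pem, a.cer, a_text.cer, old.key) are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread or from webMethods): tell PEM from DER by
# content, convert if needed, and check that a private key belongs to a
# certificate. All key pairs and files below are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# PEM or DER, decided by content. Windows may save either with a .cer extension.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# Write a PEM copy of a certificate whatever its input encoding.
to_pem() {
    if [ "$(cert_format "$1")" = PEM ]; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Exit 0 if the key file's public half is byte-identical to the certificate's
# SubjectPublicKeyInfo. Both sides are exported as DER and hashed so that the
# comparison does not depend on PEM line wrapping.
key_matches_cert() {
    key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    cert_fp=$(openssl x509 -in "$2" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$key_fp" = "$cert_fp" ]
}

# Constructed material: the partner's current key pair, an old key pair that no
# longer matches, and the same certificate exported two ways under ".cer".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=A_PROD" \
    -keyout a.key -out a.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=A_PROD" \
    -keyout old.key -out old.pem >/dev/null 2>&1
openssl x509 -in a.pem -outform DER -out a.cer   # binary export
cp a.pem a_text.cer                              # Base64 export, same extension

for f in a.cer a_text.cer; do
    echo "$f looks like $(cert_format "$f")"
    to_pem "$f" "$f.pem"
done
if key_matches_cert a.key a.cer.pem; then
    echo "a.key matches the certificate in a.cer"
fi
if ! key_matches_cert old.key a.cer.pem; then
    echo "old.key does not match the certificate in a.cer (stale key pair)"
fi
```

To use it on real material, run `key_matches_cert` with the private key in your Integration Server keystore and the PEM copy of the public certificate you handed to TP "A"; a mismatch there means you gave out a certificate you cannot decrypt for, which produces exactly the empty Content tab described earlier in the thread.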

Hi Fanny,
I am glad to hear the good news. I made a test with "Content-Type: text/plain" and got a positive MDN from a partner like below. I doubt that "Content-Type: text/plain" in the EDIINT setting is what caused the issue "authentication-failed".

Hi Rocky,

Mmmm... interesting. But that is what the partner told us.
Anyway thanks for validating it. Really appreciate it.

Best Regards,
Fanny T